
fix: allow helm-release workflow to inherit secrets #150


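---
# Release pipeline for the operator.
#
# Every push to main and every pull request runs the unit tests and builds a
# Docker image. Tag pushes additionally attach rendered manifests/CRDs to the
# GitHub release and create a Helm release.
#
# Third-party actions are pinned to a major-version tag (e.g. @v4). Pinning to
# a full commit SHA is the stricter supply-chain choice; the tags are kept here
# to avoid inventing revisions.
name: Release Prefect Operator
"on":
  push:
    branches:
      - main
    tags:
      - '*'
  pull_request:
    branches:
      - main

# No token scopes by default; each job grants only what it needs.
permissions: {}

jobs:
  run_unit_tests:
    uses: ./.github/workflows/tests.yaml
    permissions:
      # required by downstream jobs
      contents: read

  build_and_upload_manifests:
    if: github.ref_type == 'tag'
    needs: run_unit_tests
    permissions:
      # required to write artifacts to a release
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Install tool dependencies
        uses: jdx/mise-action@v2
        with:
          experimental: true
      - name: Package kubernetes manifests & CRDs
        # The tag name is read from the runner-provided GITHUB_REF_NAME variable
        # instead of being interpolated with ${{ github.ref_name }}: an
        # interpolated value is pasted into the script as code, whereas a
        # quoted environment variable is only ever data to the shell and to yq.
        run: |
          # package just CRDs
          cat deploy/charts/prefect-operator/crds/*.yaml > prefect-crds.yaml
          make helmbuild
          # template the helm chart including the CRDs
          helm template prefect-operator deploy/charts/prefect-operator \
            --include-crds --set operator.image.tag="$GITHUB_REF_NAME" \
            > prefect-operator.yaml
          # Remove labels relevant only for Helm installs
          yq -i 'del(.metadata.labels."app.kubernetes.io/managed-by")' prefect-operator.yaml
          yq -i 'del(.metadata.labels."helm.sh/chart")' prefect-operator.yaml
          yq -i 'del(.spec.template.metadata.labels."app.kubernetes.io/managed-by")' prefect-operator.yaml
          yq -i 'del(.spec.template.metadata.labels."helm.sh/chart")' prefect-operator.yaml
          # Ensure all references to app version match the released version tag
          # (strenv keeps the tag as a plain string instead of re-parsing it as YAML)
          yq -i '(.. | select(tag == "!!str" and . == "v0.0.0")) |= strenv(GITHUB_REF_NAME)' prefect-operator.yaml
      - name: Upload release assets
        run: gh release upload "$GITHUB_REF_NAME" prefect-crds.yaml prefect-operator.yaml
        env:
          GH_TOKEN: ${{ github.token }}

  build_and_push_docker_image:
    needs: run_unit_tests
    runs-on: ubuntu-latest
    # The GitHub environments are created by Terraform and map to Docker Hub repositories:
    # - dev: https://hub.docker.com/r/prefecthq/prefect-operator-dev
    # - prod: https://hub.docker.com/r/prefecthq/prefect-operator
    # The environment will be 'prod' if the GitHub event is a release. Otherwise, it will be 'dev'.
    # NOTE(review): pull_request runs from forks receive no secrets, so the
    # login step below cannot succeed for them — confirm that is the intent.
    environment: ${{ github.ref_type == 'tag' && 'prod' || 'dev' }}
    steps:
      - name: Check out code
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          # These credentials are managed in Terraform. Depending on the 'environment' value above,
          # these will either be the credentials for 'dev' or 'prod'.
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Docker image metadata
        id: metadata
        uses: docker/metadata-action@v5
        with:
          # For jobs on tags, push to the prod repository.
          # For all other situations, like pull requests and 'main', push to the dev repository.
          images: prefecthq/${{ github.ref_type == 'tag' && 'prefect-operator' || 'prefect-operator-dev' }}
          tags: |
            type=ref,event=pr
            type=ref,event=branch
            type=semver,pattern={{version}}
          labels: |
            org.opencontainers.image.title=prefect-operator
            org.opencontainers.image.description=Prefect Operator image
            org.opencontainers.image.vendor=Prefect
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}

  create_helm_release:
    if: github.ref_type == 'tag'
    needs: build_and_push_docker_image
    uses: ./.github/workflows/helm-release.yaml
    permissions:
      # required by downstream jobs
      contents: write
    # this is required so that the workflow can read secrets
    # from the environment
    # NOTE(review): `inherit` forwards every repository and environment secret to
    # the called workflow; an explicit `secrets:` map naming only the ones
    # helm-release.yaml uses would be the narrower grant, if they are known.
    secrets: inherit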